Skip to main content

Information Disclosure

other MEDIUM

Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security.

How It Works

Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security. This happens through multiple channels: verbose error messages that display stack traces revealing internal paths and frameworks, improperly secured debug endpoints left active in production, and misconfigured servers that expose directory listings or version control artifacts like .git folders. APIs often leak excessive data in responses—returning full user objects when only a name is needed, or revealing system internals through metadata fields.

Attackers exploit these exposures systematically. They probe for common sensitive files (.env, config.php, backup archives), trigger error conditions to extract framework details, and analyze response timing or content differences to enumerate valid usernames or resources. Even subtle variations—like "invalid password" versus "user not found"—enable account enumeration. Exposed configuration files frequently contain database credentials, API keys, or internal service URLs that unlock further attack vectors.

The attack flow typically starts with passive reconnaissance: examining HTTP headers, JavaScript bundles, and public endpoints for version information and architecture clues. Active probing follows—testing predictable paths, manipulating parameters to trigger exceptions, and comparing responses across similar requests to identify information leakage patterns.

Impact

  • Credential compromise: Exposed configuration files, hardcoded secrets in source code, or API keys enable direct authentication bypass
  • Attack surface mapping: Stack traces, framework versions, and internal paths help attackers craft targeted exploits for known vulnerabilities
  • Data breach: Direct exposure of user data, payment information, or proprietary business logic through oversharing APIs or accessible backups
  • Privilege escalation pathway: Internal URLs, service discovery information, and architecture details facilitate lateral movement and SSRF attacks
  • Compliance violations: GDPR, PCI-DSS, and HIPAA penalties for exposing regulated data through preventable disclosures

Real-World Examples

A major Git repository exposure affected thousands of websites when .git folders remained accessible on production servers, allowing attackers to reconstruct entire source code histories including deleted commits containing credentials. Tools like GitDumper automated mass exploitation of this misconfiguration.

Cloud storage misconfigurations have repeatedly exposed sensitive data when companies left S3 buckets or Azure Blob containers publicly readable. One incident exposed 150 million voter records because verbose API error messages revealed the storage URL structure, and no authentication was required.

Framework debug modes left enabled in production have caused numerous breaches. Django's DEBUG=True setting exposed complete stack traces with database queries and environment variables, while Laravel's debug pages revealed encryption keys through the APP_KEY variable in environment dumps.

Mitigation

  • Generic error pages: Return uniform error messages to users; log detailed exceptions server-side only
  • Disable debug modes: Enforce production configurations that suppress stack traces, verbose logging, and debug endpoints through deployment automation
  • Access control audits: Restrict or remove development artifacts (.git, backup files, phpinfo()) and internal endpoints before deployment
  • Response minimization: API responses should return only necessary fields; implement allowlists rather than blocklists for data exposure
  • Security headers: Deploy X-Content-Type-Options, remove server version banners, and disable directory indexing
  • Timing consistency: Ensure authentication and validation responses take uniform time regardless of input validity

Recent CVEs (66677)

EPSS 0% CVSS 6.5
MEDIUM This Month

Uninitialized memory consumption in libxls 1.6.3 and earlier exposes server-side applications that parse XLS files to application crashes and potential heap memory disclosure. The flaw resides in the OLE container parser: read_MSAT() allocates memory for the Master Sector Allocation Table without fully initializing it, then passes it to ole2_validate_sector_chain(), which may read uninitialized bytes from the heap. Per the CVSS vector (AV:N/AC:L/PR:N/UI:N), no authentication or user interaction is required - a remote attacker need only supply a crafted XLS file to an application that uses libxls as a parsing backend. No public exploit code or CISA KEV listing exists at time of analysis; EPSS stands at 0.02% (5th percentile), indicating very low observed exploitation activity.

Information Disclosure Suse
NVD GitHub VulDB
EPSS 0% CVSS 1.1
LOW Monitor

SHA-1 hash collisions in mlrun's DataFrame Hash Handler allow a local authenticated user to corrupt dataset artifact integrity in ML pipelines up to version 1.12.0-rc3. The `calculate_dataframe_hash` function in `mlrun/utils/helpers.py` uses SHA-1 over raw pandas hash bytes without encoding type or schema information, meaning structurally distinct DataFrames - differing only in column dtype (e.g., bool vs int, int8 vs int64, datetime64[ns] vs int64) - produce identical hashes. Publicly available exploit code exists (disclosed via GitHub issue #9691 and PR #9692 with concrete collision test cases); no active exploitation is confirmed in CISA KEV.

Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Information disclosure weakness in Securly Chrome Extension version 3.0.7 stems from continued reliance on the deprecated SHA-1 algorithm to hash and match 25,020 IWF CSAM URLs and 12,352 CIPA blocklist URLs. Because SHA-1 is vulnerable to collision attacks, an adversary with knowledge of the hash list could derive or guess matching URLs, exposing sensitive blocklist contents and undermining the integrity of the content-filtering mechanism. There is no public exploit identified at time of analysis and EPSS is very low (0.01%), but the issue was reported through CERT/CC (VU#595768), giving it credible vendor-coordinated provenance.

Information Disclosure Google
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Cryptographic weakness in Securly Chrome Extension version 3.0.7 and earlier exposes AES-encrypted data to recovery attacks because the extension derives keys using EVP_BytesToKey with MD5 and only a single iteration. Remote attackers who can obtain ciphertext from the extension's storage or network exchanges can feasibly brute-force or precompute keys, leading to disclosure of protected information. EPSS is very low (0.01%), no public exploit has been identified, and the issue is not listed in CISA KEV.

Information Disclosure Google Chrome
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Information disclosure in Securly Chrome Extension version 3.0.7 allows remote unauthenticated attackers to retrieve SHA-1 hashes via publicly accessible endpoints, where the hashes are weakly protected by a reversible Caesar cipher. The flaw enables recovery of sensitive identifiers protecting filtered content data, with no public exploit identified at time of analysis and an EPSS score of 0.02% indicating very low predicted exploitation activity.

Information Disclosure Google Chrome
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Cleartext transmission in Securly Chrome Extension version 3.0.7 exposes crisis alert keyword lists and content filtering rules to adjacent network attackers because the extension fetches these JSON configuration files over plaintext HTTP while other endpoints in the same extension correctly use HTTPS. An adjacent attacker on the same network segment can intercept or tamper with the filtering policy data, undermining the safety controls Securly is meant to enforce on managed Chromebooks. No public exploit identified at time of analysis and EPSS is very low at 0.01%, but a vendor patch is available.

Information Disclosure Google Chrome
NVD VulDB
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

Type confusion in OP-TEE OS versions 4.3.0 through 4.10.x allows a highly privileged local attacker operating in the normal world to crash the Trusted Execution Environment by submitting a malformed FFA_MEM_SHARE request, resulting in denial of service of all secure services hosted in the TEE. Exploitation is gated behind a non-default build configuration requiring both CFG_CORE_SEL1_SPMC=y and CFG_SECURE_PARTITION=y, substantially narrowing the affected population to deployments using OP-TEE as an S-EL1 Secure Partition Manager Core. No public exploit code has been identified and the vulnerability is absent from the CISA KEV catalog; the CVSS score of 4.4 (Medium) reflects these real-world constraints accurately.

Information Disclosure Memory Corruption Linux
NVD GitHub VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Private ECDH key recovery in OP-TEE prior to version 4.11.0 is achievable by a local attacker who can invoke TEE_DeriveKey with approximately 30-40 crafted public key values lying off the target elliptic curve. Because the implementation omits point validation - failing to verify that (X, Y) satisfies Y^2 ≡ X^3 + aX + b mod P for the specified curve - each malformed call leaks a residue d mod r, where d is the private key and r is the order of the attacker-chosen invalid curve. Accumulated residues allow full private key reconstruction via the Chinese Remainder Theorem. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the underlying invalid curve attack technique is well-documented in cryptographic literature and reproducible by any skilled attacker with local access.

Information Disclosure Jwt Attack Linux
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

File extraction from the Ironic conductor service is possible via a crafted pxe_template, as disclosed in OpenStack Security Advisory OSSA-2026-019. The Ironic conductor is a privileged management component that coordinates bare metal node provisioning; arbitrary file read from this host could expose infrastructure credentials, TLS keys, or cloud configuration secrets. No public exploit has been identified at time of analysis, and no CVSS score has been assigned, but the severity is elevated by the conductor's privileged position in OpenStack infrastructure.

Information Disclosure Ironic
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Dräger SC Monitoring devices (SC 6002XL, SC 6802XL, SC 7000, SC 8000, SC 9000 XL) contain a denial-of-service vulnerability in all software versions that allows unauthenticated attackers to reboot. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Sc 6002Xl Sc6802Xl +3
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free race condition in OP-TEE OS versions 3.16.0 through 4.10.x enables local low-privileged attackers to corrupt memory within the secure world when OP-TEE is built as an FF-A Secure Partition Manager Core (SPMC) for S-EL0 Secure Partitions. The flaw stems from missing lock acquisition in sp_mem_remove() during shared-memory teardown, allowing concurrent threads to dereference freed sp_mem_map_region or sp_mem_receiver objects. No public exploit identified at time of analysis, but successful exploitation yields high confidentiality, integrity, and availability impact inside the Trusted Execution Environment.

Information Disclosure Use After Free Memory Corruption +1
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Remote denial of service in the Linux kernel ibmveth driver on IBM Power systems allows attackers to freeze physical network adapters by transmitting GSO packets with an MSS below 224 bytes, halting all traffic until manual reset. The flaw affects multiple stable kernel branches and is fixed upstream, with no public exploit identified at time of analysis and an EPSS score of 0.02% (7th percentile) reflecting low expected exploitation volume despite the high CVSS of 8.6.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Race condition in the Linux kernel's CoreSight TMC-ETR (Trace Memory Controller, Embedded Trace Router) driver triggers a kernel WARN_ON() when sysfs and perf hardware tracing modes are enabled concurrently, resulting in a denial-of-service condition against the tracing subsystem. The sysfs enable path is split across two separate spinlock-protected critical sections, creating a window where perf mode can initialize drvdata->etr_buf between the sysfs buffer allocation and hardware enablement steps - causing tmc_etr_enable_hw() to encounter an already-initialized pointer and fire WARN_ON(). No public exploit exists and EPSS is 0.02% (4th percentile), indicating near-zero real-world exploitation probability; patched kernel versions 6.18.14, 6.19.4, and 7.0 are available.

Information Disclosure Race Condition Linux +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel NFC HCI SHDLC subsystem allows local low-privileged attackers to corrupt memory and potentially escalate privileges by triggering teardown races against active timers and queued work items. The flaw exists because llc_shdlc_deinit() purges SHDLC skb queues and frees the llc_shdlc structure while timers and the sm_work state-machine handler may still execute concurrently. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but the high-impact CVSS (7.8) reflects full CIA compromise on successful exploitation.

Information Disclosure Use After Free Memory Corruption +3
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Remote manipulation of the Linux kernel's IPv4 routing cache is possible through RAW sockets bound to IPPROTO_RAW (protocol 255), where a malicious incoming ICMP packet whose inner header advertises protocol 255 will be matched to the socket and trigger FNHE (Forwarding Next Hop Exception) cache changes. The flaw affects Linux systems where a process has opened a RAW socket on protocol 255, and remote attackers can use crafted ICMP fragmentation-needed messages to influence routing decisions. No public exploit identified at time of analysis and EPSS probability is very low (0.02%), but the CVSS 9.1 reflects high integrity and availability impact via unauthenticated network reachability.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial-of-service condition in the Linux kernel's HNS RoCE (RDMA over Converged Ethernet) driver affects systems using HiSilicon RDMA hardware alongside SUNRPC/NFS-over-RDMA workloads. The hns_roce_irq_workq workqueue lacks the WQ_MEM_RECLAIM flag while being flushed during QP (Queue Pair) destruction from a memory-reclaim context, triggering a kernel warning and potential stall during RDMA transport reset. EPSS is very low (0.02%, 7th percentile) and no public exploit identified at time of analysis.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Local privilege escalation potential exists in the Linux kernel's Intel Xe DRM driver (drm/xe/pf) due to a sysfs initialization ordering bug in SR-IOV Physical Function setup, where a failed devm_add_action_or_reset() call invokes kobject_put() on an uninitialized kobject, triggering refcount underflow and use-after-free conditions. The flaw affects Linux kernel 6.19 prior to the 6.19.4 stable patch and has been resolved upstream; no public exploit identified at time of analysis and EPSS rates exploitation probability at only 0.02%.

Information Disclosure Linux Use After Free +3
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds array access in the Linux kernel's AMD GPU display driver (drm/amd/display) allows local privileged users to trigger memory corruption via the dcn35_stream_encoder_create() function when eng_id equals ENGINE_ID_DIGF (value 5) or is negative, indexing past the 5-element stream_enc_regs[] array. The flaw stems from a faulty boundary check using <= instead of <, and no public exploit has been identified at time of analysis with an EPSS score of 0.02% (5th percentile) indicating very low exploitation probability.

Amd Buffer Overflow Linux +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Deadlock in the Linux kernel's ASoC fsl_xcvr audio driver causes a hung task and denial of service on NXP i.MX hardware. The defect was introduced by a prior patch (commit f51424872760) that erroneously added a read lock acquisition on controls_rwsem inside fsl_xcvr_mode_put(), unaware that the caller snd_ctl_elem_write() already holds the write lock on that same semaphore for the duration of the put operation. A local user with low privileges who triggers an ALSA control write on an affected system can induce an unresolvable deadlock. No public exploit exists and EPSS is 0.02%, reflecting very low real-world exploitation probability.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's IPv6 routing subsystem (fib6_add_rt2node) allows a local user with network configuration privileges to trigger memory corruption when adding routes that use the RTA_NH_ID nexthop attribute. The flaw was discovered by syzkaller and confirmed via KASAN slab-out-of-bounds reports. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but the bug is in mainline kernel code paths reachable through netlink and is fixed across multiple stable trees.

Debian Buffer Overflow Linux +3
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's procfs subsystem allows a local low-privileged attacker to potentially trigger memory corruption when reading /proc/[pid]/stat due to missing RCU protection around task->real_parent access in do_task_stat(). The race condition occurs when a parent task is released concurrently with another process reading its stat file, leading to a UAF dereference. No public exploit identified at time of analysis, and EPSS scoring is very low (0.02%, 7th percentile), indicating limited expected exploitation activity.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Local denial-of-service via kernel Oops in the Linux kernel SP804 timer driver on ARM32 platforms when read_current_timer() dereferences an uninitialized sched_clkevt pointer. Affected systems are those where sp804_clocksource_and_sched_clock_init is invoked without use_sched_clock=1, yet sp804_register_delay_timer is still called unconditionally - creating the conditions for a NULL/uninitialized pointer access in sp804_read(). EPSS is 0.02% (5th percentile), no KEV listing exists, and no public exploit has been identified, placing this as low operational priority outside specialized ARM32 embedded deployments.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Double-disable of managed clocks in the Linux kernel's fsl-edma (Freescale/NXP eDMA) DMA engine driver triggers kernel WARN_ON warnings during driver removal, causing an availability impact on affected systems. The bug originates from commit a9903de3aa16731846bf924342eca44bdabe9be6, where clocks allocated via devm_clk_get_enabled() - which automatically handles teardown - are also manually disabled in fsl_edma_remove(), resulting in a 'already disabled/unprepared' warning for each clock. No public exploit has been identified at time of analysis, and EPSS is 0.02% (5th percentile), reflecting the low likelihood of targeted exploitation of this kernel quality defect.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Unaligned memory access in the Linux Kernel's AppArmor DFA table parser causes a denial of service on strict-alignment architectures. AppArmor's deterministic finite automaton (DFA) policy tables, which can originate from either kernel or userspace via apparmor_parser, lack guaranteed 8-byte alignment; on architectures that fault or warn on unaligned access (confirmed via SPARC call trace in the description), loading AppArmor profiles triggers a kernel WARNING at security/apparmor/match.c:316 and fails profile loading. No public exploit exists and no KEV listing is present; EPSS is 0.02% (5th percentile), consistent with a low-severity, architecture-specific, local-only issue.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Improper locking in the Linux kernel regulator subsystem's `regulator_resolve_supply()` error path allows a local low-privileged attacker to trigger a kernel crash or denial of service. The error path invokes `_regulator_put()` without holding the required `regulator_list_mutex`, producing a lockdep warning and exposing an unguarded concurrent access window when clearing the `rdev` supply pointer. No public exploit has been identified at time of analysis, and with an EPSS of 0.02% (5th percentile), real-world exploitation probability is very low.

Information Disclosure Linux
NVD VulDB
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Linked-list corruption in the Linux kernel's btrfs filesystem allows a local user with btrfs write access to trigger memory corruption and a transaction abort when EXTENT_TREE_V2 incompat flag is enabled. The flaw stems from the block group tree being added twice to the switch_commits list, corrupting prev/next pointers and ultimately leading to filesystem inconsistency. No public exploit identified at time of analysis and EPSS probability is low at 0.02%, but the CVSS 8.4 reflects high local impact on confidentiality, integrity, and availability.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Stale link mapping in the ath12k Wi-Fi 7 driver causes a kernel WARN_ON condition when MLO (Multi-Link Operation) connection preparation fails mid-initialization, leaving ahvif->links_map in an inconsistent state. Systems running the Linux kernel with Qualcomm ath12k hardware (e.g., QCN9274) are affected across stable branches through 6.18.13, 6.19.3, and pre-7.0 releases. A local low-privileged user capable of triggering repeated MLO authentication failures can induce kernel warning conditions, resulting in high availability impact with no public exploit identified at time of analysis.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service in the Linux kernel's DRM Panthor GPU driver allows a local authenticated user to trigger an unrecoverable system hang via a blocked GPU memory subsystem. Specifically, when `panthor_gpu_flush_caches()` times out due to a blocked memory subsystem - a condition inducible through buggy GPU jobs submitted by user-mode drivers (UMD) - the driver previously had no recovery path, causing indefinite waits and system unavailability. The fix introduces timeout-aware reset scheduling and immediate -EIO short-circuiting for queued flush operations after a failure, but until patched, the condition is exploitable by any local user with access to the GPU device. No public exploit code exists and EPSS is extremely low (0.02%), consistent with a niche hardware-specific local DoS.

Information Disclosure Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Denial-of-service via quadratic algorithmic complexity in CPython's unicodedata.normalize() affects all CPython versions when processing attacker-controlled Unicode strings. The canonical ordering step during Unicode normalization used an insertion sort algorithm with O(n²) time complexity, which degrades severely when input contains long runs of combining characters with alternating Canonical Combining Class (CCC) values. An unauthenticated remote attacker can cause excessive CPU consumption by submitting small crafted payloads (e.g., 65 characters) to any service that passes untrusted input to unicodedata.normalize(). No public exploit code or CISA KEV listing exists at time of analysis.

Information Disclosure Canonical Cpython
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Incorrect cache storage in Django's UpdateCacheMiddleware exposes responses that should have been excluded from caching due to uppercase or mixed-case Cache-Control directives (e.g., 'Private', 'NO-STORE'). Affected versions 5.2.x before 5.2.15 and 6.0.x before 6.0.6 fail to perform case-insensitive comparison of Cache-Control directive strings, causing the middleware to cache responses it should skip, which remote attackers can then retrieve. No public exploit has been identified at time of analysis, and active exploitation is not confirmed; the low CVSS 4.0 score of 2.3 accurately reflects limited scope, though real-world impact scales with how sensitive the incorrectly cached data is.

Information Disclosure Python
NVD VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Django's SMTP email backend silently downgrades to cleartext transmission when a STARTTLS handshake fails under the `fail_silently=True` configuration, exposing email content to on-path network interception. Affected are Django 6.0.x before 6.0.6 and 5.2.x before 5.2.15; older unsupported series (5.0.x, 4.1.x, 3.2.x) were not evaluated but may also be vulnerable. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 2.3 reflects the high attack complexity and mandatory on-path network positioning required for exploitation.

Information Disclosure Python
NVD VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Cache-bypass information disclosure in Django's `has_vary_header()` utility allows remote attackers to read cached HTTP responses intended for other users by exploiting improper whitespace handling in `Vary` header comparisons. Affected versions are Django 5.2.x before 5.2.15 and 6.0.x before 6.0.6; earlier unsupported series (5.0.x, 4.1.x, 3.2.x) were not evaluated and may also be affected per the vendor. The CVSS 4.0 score of 2.3 reflects constrained real-world impact requiring both a non-default prerequisite condition and user interaction, with no public exploit or confirmed active exploitation identified at time of analysis.

Information Disclosure Python
NVD VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Cache information disclosure in Django 5.2.x and 6.0.x allows remote unauthenticated attackers to read private authenticated responses served from shared caching layers. The `UpdateCacheMiddleware` component omits `Authorization` from the `Vary` response header when authenticated requests lack an explicit `Cache-Control: public` directive, causing caches to serve authenticated users' responses to subsequent unauthenticated requestors at the same URL. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 2.3 reflects meaningful - but constrained - real-world impact gated behind specific deployment prerequisites.

Information Disclosure Python
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM POC This Month

Out-of-bounds read in lwext4 1.0.0's ext4_ext_binsearch_idx function (src/ext4_extent.c) exposes applications to memory disclosure or process crashes when parsing a specially crafted ext4 filesystem image. Insufficient validation of extent header fields before binary search traversal of the extent index tree allows invalid pointer arithmetic, resulting in reads beyond the allocated buffer boundary. A publicly available exploit exists on GitHub; no CISA KEV listing has been confirmed, but the combination of a network-deliverable attack vector and public POC elevates practical urgency for lwext4 consumers.

Denial Of Service Information Disclosure Buffer Overflow +1
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

A cleartext transmission of sensitive information vulnerability in Synology Note Station Client before 2.2.4-703 allows man-in-the-middle attackers to obtain user credential. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Synology
NVD
EPSS 0% CVSS 1.9
LOW POC PATCH Monitor

Integer overflow in the cilium/ebpf Go library (versions up to 0.21.0) allows a local authenticated user to cause an availability impact by supplying crafted BPF Type Format (BTF) data to the LoadCollectionSpec or LoadCollectionSpecFromReader APIs. The flaw resides in the loadRawSpec function where 32-bit header field arithmetic was performed using signed int types, enabling overflow to bypass bounds checks on StringOff, StringLen, TypeOff, and TypeLen fields. No public exploit identified at time of analysis as a KEV listing, though publicly available exploit code exists per VulDB and the CVSS temporal component E:P confirms a proof-of-concept is circulating.

Information Disclosure Integer Overflow Ebpf
NVD VulDB GitHub
EPSS 0% CVSS 7.2
HIGH This Week

Privilege escalation / denial of service in MBS Universal Gateway (UGW) product family allows an authenticated low-privileged remote user to terminate arbitrary processes on the device via the ugw-logstop method, which fails to validate user-supplied input. No public exploit identified at time of analysis, but the bug affects a broad set of MBS industrial protocol gateways (Single-A, Double-A Profibus/X-Link, Single-X, Double-X CAN/DALI/KNX/LON/M-Bus/Profinet) used in building and industrial automation. CVSS 4.0 base is 7.2 reflecting High integrity and availability impact with only low privileges required.

Information Disclosure Single A Double A Profibus +16
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Arbitrary file deletion in MBS GmbH universal gateway (UGW) products allows authenticated remote users to remove files on the device through the ugw-restoreinfo method, which fails to validate user-controlled path input (CWE-73). The flaw, reported by CERT@VDE and tracked under VDE-2026-039, affects the Single-A, Double-A (Profibus/X-Link), Single-X, and Double-X (CAN/DALI/KNX/LON/M-Bus/Profinet) fieldbus gateway product lines used in industrial and building automation. No public exploit identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure Single A Double A Profibus +16
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Arbitrary file deletion in MBS Universal Gateway (UGW) products allows authenticated remote attackers with low-privilege user accounts to delete arbitrary files on the device by abusing the ugw-restore method, which fails to validate user-controlled path input. The vulnerability affects multiple MBS gateway variants (Single-A, Double-A Profibus/X-Link, Single-X, and Double-X CAN/DALI/KNX/LON/M-Bus/Profinet bridges) used in industrial fieldbus integration. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Single A Double A Profibus +16
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Arbitrary file deletion in MBS Universal Gateway (UGW) product line allows authenticated remote attackers to delete local files on the device via the ugw-logstop method, which fails to validate user-supplied path input. The flaw affects MBS Single-A, Double-A (Profibus, X-link), Single-X, and Double-X (CAN, DALI, KNX, LON, M-Bus, Profinet) industrial protocol gateways. No public exploit identified at time of analysis, but the low-complexity, low-privilege attack profile makes this a credible threat to availability of industrial control system gateways.

Information Disclosure Single A Double A Profibus +16
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Arbitrary file deletion in MBS Universal Gateway (UGW) product family allows authenticated remote attackers to remove any file on the device filesystem by abusing the ugw-delete-file method, which fails to validate user-controlled path input (CWE-73). With CVSS 4.0 score 7.2 and PR:L, exploitation requires only a low-privileged account, and successful abuse impacts integrity and availability of the gateway (VI:H/VA:H). No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Information Disclosure Single A Double A Profibus +16
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Arbitrary file deletion in MBS GmbH industrial gateway products (single-a, double-a, single-x, double-x variants across Profibus, Profinet, KNX, LON, M-Bus, DALI, CAN, and X-Link protocols) allows authenticated remote attackers to remove arbitrary files on the device via the bac-scanresult method, which fails to validate user-controlled path input. Reported by CERTVDE under advisory VDE-2026-039, no public exploit identified at time of analysis. The CVSS 4.0 score of 7.2 reflects high integrity and availability impact achievable with only low-privileged user credentials.

Information Disclosure Single A Double A Profibus +16
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Credential disclosure in MBS industrial protocol gateways (Single-A, Double-A, Single-X, and Double-X product families) allows remote unauthenticated attackers to extract a hard-coded default password embedded in the firmware image and use it to obtain full administrative control of any affected device. With a CVSS 4.0 score of 9.3 and the vulnerability reported through CERT@VDE under advisory VDE-2026-039, the issue is severe because the recovered credential is shared across the device line, but at the time of analysis there is no public exploit identified and the vulnerability is not listed in CISA KEV.

Information Disclosure Single A Double A Profibus +16
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Information disclosure in Phoenix Contact CHARX SEC-3000/3050/3100/3150 EV charging controllers allows an unauthenticated attacker on an adjacent network to download controller log files containing restricted information. No public exploit identified at time of analysis, but the low attack complexity and lack of authentication make opportunistic abuse straightforward once an attacker reaches the same network segment. Reported via CERT@VDE under advisory VDE-2026-060.

Information Disclosure Charx Sec 3150 Charx Sec 3100 +2
NVD
EPSS 0% CVSS 7.3
HIGH This Week

Unauthorized file or directory access in ABB T-MAC Plus version 4.0-24 allows authenticated remote attackers to read, modify, or otherwise interact with resources that should not be externally reachable, with CVSS 4.0 scoring 7.3 due to high confidentiality and availability impact plus scope change to subsequent systems. The flaw is classified under CWE-552 (Files or Directories Accessible to External Parties) and was disclosed by ABB itself. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Information Disclosure Abb Path Traversal
NVD
EPSS 0% CVSS 2.3
LOW PATCH Monitor

HTTP/2 request parsing in Vinyl Cache and Varnish Cache enables backend request desync (HTTP request smuggling), exploitable for cache poisoning, authentication bypass, and information disclosure against affected deployments. Vinyl Cache prior to 9.0.1 and Varnish Cache prior to 9.0.3, plus legacy pre-split Varnish Cache branches spanning versions 6.0.14 through 8.0.1, are confirmed affected across three distinct CPE lineages. Exploitation is gated behind an explicitly non-default configuration - HTTP/2 must be enabled via the +http2 feature parameter - which substantially limits exposure; no public exploit code and no CISA KEV listing have been identified at time of analysis.

Information Disclosure Request Smuggling Authentication Bypass +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

File inclusion in SourceCodester Online Food Ordering System 2.0 allows remote attackers to manipulate the 'page' parameter of /index.php to include arbitrary files via the application's include() function. Publicly available exploit code exists (referenced on GitHub), and the CVSS 7.3 score combined with no authentication or user interaction requirements (AV:N/AC:L/PR:N/UI:N) makes this trivially exploitable against any exposed deployment. The vulnerability falls under CWE-73 (External Control of File Name or Path) and primarily enables information disclosure, though depending on PHP configuration it may escalate to code execution.

Information Disclosure PHP
NVD VulDB GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Unauthenticated LAN-to-WAN admin panel exposure in Mercusys AC12G (EU) V1 routers running firmware AC12G(EU)_V1_200909 allows any device on the local network to publish the router's own administrative interface to the public internet via a single UPnP SOAP request. Because the device fails to reject loopback and its own LAN IP as the InternalClient in AddPortMapping requests, an attacker can pivot a temporary LAN foothold into a permanent, internet-reachable management plane exposure. No public exploit is identified at time of analysis, but the technique is trivial and well-documented in the referenced advisory.

Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Uninitialized memory disclosure in the Mercusys AC12G (EU) V1 router exposes 128 bytes of internal server buffer contents to unauthenticated adjacent-network attackers. The device's HTTP server fails to sanitize responses for POST requests sent to undefined paths, returning raw internal buffer data instead of a clean error. No active exploitation is confirmed (not in CISA KEV), but a public researcher advisory exists on GitHub; the CVSS score of 4.3 (Medium) reflects the adjacent-network-only attack vector and limited confidentiality impact.

Information Disclosure Buffer Overflow
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

DNS version disclosure on Mercusys AC12G (EU) V1 router exposes the internal unbound 1.22.0 resolver version to unauthenticated adjacent-network attackers via CHAOS TXT queries. Any host on the same network segment can query 'version.bind' and receive a precise software version string, enabling targeted reconnaissance against known unbound vulnerabilities. No active exploitation or public exploit code has been identified at time of analysis, but the disclosure materially reduces attacker effort in follow-on attacks.

Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM This Month

Cleartext credential exposure in the Mercusys AC12G (EU) V1 router (firmware AC12G(EU)_V1_200909) allows a network-positioned attacker to intercept DDNS service credentials in transit. The firmware transmits DDNS credentials over plaintext HTTP with only Base64 encoding - an encoding scheme, not encryption - and contains no TLS implementation whatsoever. A successful man-in-the-middle interception results in full credential disclosure (C:H), enabling an attacker to hijack the associated DDNS hostname and redirect domain traffic. No public exploit identified at time of analysis, and this CVE is not listed in CISA KEV.

Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH This Week

Information disclosure in Mercusys AC12G (EU) V1 router firmware AC12G(EU)_V1_200909 leaks 128 bytes of uninitialized memory when the UPnP service on port 1900 receives POST requests lacking a SOAPAction header, enabling unauthenticated adjacent-network attackers to harvest internal buffer contents. The flaw is rated CVSS 7.3 (low impact across CIA), and no public exploit identified at time of analysis, though the referenced GitHub advisory documents the issue with reproduction details.

Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Kernel pointer disclosure in the Mercusys AC12G (EU) V1 router running firmware AC12G(EU)_V1_200909 allows unauthenticated adjacent-network attackers to obtain raw MIPS KSEG0 kernel addresses through the UPnP GetStatusInfo action, effectively defeating kernel address-space layout randomization on the device. The leaked pointer reveals the kernel memory map and is most useful as a precursor to a more severe exploit chain rather than as a standalone attack - its primary value is enabling reliable offset calculation for subsequent memory corruption attacks. No public exploit identified at time of analysis, EPSS is 0.02% (7th percentile), and the vulnerability is not listed in CISA KEV.

Information Disclosure N A
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthenticated information disclosure in the Mercusys AC12G (EU) V1 router allows any attacker on the adjacent network to retrieve internal buffer contents by querying an undocumented `/agileconfigreset` HTTP endpoint, confirmed for firmware version AC12G(EU)_V1_200909. The CVSS vector (AV:A/AC:L/PR:N/UI:N) confirms no authentication or user interaction is required, though exploitation is bounded to the local network segment rather than the internet. No public exploit has been identified at time of analysis, and no vendor patch has been confirmed.

Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

DNS rebinding on the Mercusys AC12G (EU) V1 router (firmware AC12G(EU)_V1_200909) exposes the router's web management interface to attacker-controlled external origins due to absent HTTP Host header validation. A remote unauthenticated attacker (per CVSS PR:N) can rebind a malicious domain to the router's LAN IP address, then leverage the router's pre-existing CORS wildcard (Access-Control-Allow-Origin: *) to read admin interface responses cross-origin from within the victim's browser. No public exploit beyond the researcher's advisory exists and no CISA KEV listing is present at time of analysis.

Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Authentication brute-force weakness in Mercusys AC12G (EU) V1 routers running firmware AC12G(EU)_V1_200909 allows an attacker on the adjacent network to enumerate the admin password without triggering any lockout. The flaw stems from the TDDP password-change endpoint (code=10) lacking the rate limiting that is enforced on the login endpoint (code=7), giving attackers unlimited guessing attempts. No public exploit identified at time of analysis, but a third-party advisory has been published on GitHub.

Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH This Week

Authentication token recovery in Mercusys AC12G (EU) V1 routers running firmware AC12G(EU)_V1_200909 allows network-based attackers to decrypt captured login credentials and recover plaintext administrator passwords. The flaw stems from a static authentication nonce that never rotates for requests originating from the same source IP, combined with a weak XOR-based password encoding routine (securityEncode). A public advisory exists on GitHub, but no public exploit code or active exploitation has been identified at the time of analysis.

Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

WPS 2.0 brute-force exposure on the Mercusys AC12G (EU) V1 router allows an adjacent unauthenticated attacker to recover Wi-Fi credentials by exhausting the WPS PIN space against a trivially bypassed lockout policy of only 60 seconds per 10 attempts. Firmware version AC12G(EU)_V1_200909 ships with WPS 2.0 enabled by default, meaning no user reconfiguration is required to be vulnerable. Successful exploitation yields full confidentiality and integrity compromise of the wireless network (C:H/I:H), effectively granting the attacker LAN access. No public exploit code or CISA KEV listing has been identified at time of analysis; EPSS of 0.02% reflects low widespread exploitation probability but does not reduce risk for targeted home or small-office environments.

Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

LibreChat's MCP server configuration API leaks decrypted admin-managed credentials - including plaintext API keys and OAuth client secrets - to any authenticated user holding only VIEW-level access to a shared MCP server. All deployments running versions up to and including 0.8.3 are affected, with the flaw accessible via standard GET requests to `/api/mcp/servers` and `/api/mcp/servers/:serverName`. No public exploit or active exploitation has been identified at time of analysis, but the low-complexity, low-privilege network vector makes credential exfiltration straightforward in any multi-user LibreChat environment.

Information Disclosure Librechat
NVD GitHub VulDB
EPSS 0% CVSS 9.6
CRITICAL Act Now

{VAR} placeholders against the host process environment, so attacker-controlled MCP URLs cause the LibreChat backend to transmit CREDS_KEY, CREDS_IV, JWT_SECRET, and MONGO_URI to an attacker-controlled host. No public exploit identified at time of analysis, and the issue is fixed in 0.8.4-rc1.

Information Disclosure Librechat
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW Monitor

Code injection in ahujasid/blender-mcp's execute_blender_code function allows low-privileged remote attackers with passive user interaction to inject and execute arbitrary code through the unsanitized code argument passed to the MCP server endpoint in /src/blender_mcp/server.py. All commits up to 7636d13bded82eca58eb93c3f4cd8708dfdfbe8b are affected, with no maintainer response to the disclosed GitHub issue #201. A public exploit exists (E:P in CVSS vector; independently confirmed by description), though no public exploit identified at time of analysis for active KEV-tracked campaigns - exploitation remains opportunistic rather than confirmed widespread.

Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Weak password hashing in QloApps through 1.7.0 enables credential compromise because Tools::encrypt() in classes/Tools.php hashes passwords with unsalted MD5 concatenated with a static cookie key, allowing offline brute-force recovery of customer and employee credentials. The risk is amplified by an 8-character auto-generated password used during guest-to-customer conversion in classes/Customer.php, making cracked hashes practically trivial. No public exploit identified at time of analysis, but the upstream fix in commit 64e9722 replaces MD5 with the PasswordHashing class for credential storage.

Information Disclosure PHP Qloapps
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Algorithmic complexity denial of service in the Go standard library's mime package allows remote unauthenticated attackers to consume excessive CPU by submitting MIME headers containing many invalid encoded-words. Affected Go releases include mime versions before 1.25.11 and 1.26.0-0 through versions prior to 1.26.4, with a patch available from upstream Go. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis, but the network-reachable, no-auth attack surface makes this relevant for any Go service that parses untrusted MIME input.

Information Disclosure Suse
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Quadratic-complexity denial-of-service in Go's crypto/x509 package allows a network-positioned attacker presenting a certificate with a large DNS Subject Alternative Name list to exhaust CPU on the verifying party. The root cause is that VerifyHostname called strings.Split(host, ".") inside a loop over every DNS SAN entry rather than computing it once, scaling work as O(SANs × hostname_labels). Critically, x509.Verify performs hostname validation before chain building, meaning even untrusted, self-signed certificates trigger the expensive computation - no valid CA-issued certificate is required. No public exploit is identified at time of analysis, and EPSS is 0.00%, consistent with a newly-disclosed algorithmic complexity issue without weaponized tooling.

Information Disclosure Crypto X509
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

Server-Side Request Forgery and arbitrary file read in ahujasid/blender-mcp allows authenticated remote attackers to exfiltrate local filesystem content or pivot to internal network services via unsanitized manipulation of the input_image_url parameter in the generate_hunyuan3d_model function (src/blender_mcp/server.py). The parameter is passed without validation directly to both open() for local file reads and requests.get() for remote fetches, enabling path traversal and SSRF primitives simultaneously. A publicly available exploit exists (GitHub issue #202); no CISA KEV listing at time of analysis. The fix has been merged upstream (PR #205, commit 5b37be25).

Information Disclosure Blender Mcp
NVD VulDB GitHub
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Physical USB tampering against Dräger Zeus Infinity Empowered (Zeus IE) and Zeus RS C500 anesthesia workstations allows an attacker with bedside access to compromise software integrity, alter therapy data, and pivot to connected networks or Dräger Service Connect. The flaw, disclosed by VulnCheck and tracked under CWE-668 (Exposure of Resource to Wrong Sphere), carries a CVSS 4.0 base score of 7.0 reflecting high impact across confidentiality, integrity, and availability of the device itself. There is no public exploit identified at time of analysis and no CISA KEV listing, but the medical-device context elevates patient-safety concern even at moderate technical severity.

Information Disclosure Zeus Ie Zeus Rs C500
NVD VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Denial of service in Docker Desktop versions 4.33.0 through 4.75.x allows a local low-privileged user inside a container to crash the underlying Linux VM by triggering unbounded recursion in the grpcfuse kernel module. The flaw is exercised by creating deeply nested directories on a bind-mounted host folder and forcing a dentry invalidation event, which panics the virtualization layer that backs the entire Docker engine. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Docker Information Disclosure
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Insecure Direct Object Reference (IDOR) in SourceCodester Human Resource Management 1.0 allows authenticated remote attackers to read other employees' records by manipulating the `employeeid` parameter in `/detailview.php`. The vulnerability results in unauthorized disclosure of employee data across account boundaries, with no integrity or availability impact. A publicly available proof-of-concept exploit exists; no active exploitation has been confirmed by CISA KEV at time of analysis.

Information Disclosure PHP
NVD VulDB
EPSS 0% CVSS 8.2
HIGH POC PATCH This Week

Credential leakage in elixir-tesla (Tesla HTTP client for Elixir) versions 1.4.0 through 1.18.2 allows Authorization and Host headers to be forwarded to attacker-controlled origins during cross-origin HTTP redirects. The Tesla.Middleware.FollowRedirects component compares header names case-sensitively against a lowercase filter list, so headers using the RFC 7235 canonical casing (e.g., 'Authorization') bypass stripping and reach the redirect target. No public exploit identified at time of analysis, but the upstream fix is committed and a patched release (1.18.3) is available.

Information Disclosure Canonical
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Information disclosure in AWS Graph Explorer before v3.0.1 occurs because the bundled proxy server silently falls back to plaintext HTTP when its TLS certificate files cannot be loaded, causing requests intended for HTTPS to traverse the network unencrypted. Network-positioned attackers can intercept these requests and harvest sensitive graph queries, headers, or credentials. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.

Information Disclosure Graph Explorer
NVD GitHub
EPSS 0% CVSS 6.6
MEDIUM PATCH This Month

Cross-origin cookie leakage in aiohttp prior to 3.14.0 allows sensitive per-request cookies to be forwarded to attacker-controlled domains when a redirect is followed. When application code passes cookies via the `cookies` parameter of an aiohttp request, those cookies are not dropped upon following a cross-origin redirect - violating the origin isolation guarantee users expect. An attacker who can influence redirect responses (e.g., via a compromised or malicious upstream server) can harvest cookie values intended only for the original origin. No public exploit identified at time of analysis; EPSS data not provided in source intelligence.

Information Disclosure Python
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

JIT miscompilation in Firefox's JavaScript engine exposes users to a denial-of-service condition when visiting attacker-controlled web content. The vulnerability stems from a type confusion flaw (CWE-843) in the JIT compiler component, where incorrect type assumptions during optimization can corrupt memory state and crash the browser. No active exploitation has been confirmed (no CISA KEV listing), EPSS stands at 0.02% (5th percentile), and vendor-released patch Firefox 151.0.3 is available per Mozilla advisory mfsa2026-54.

Information Disclosure Memory Corruption Mozilla
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local code execution in NVIDIA NVTabular allows a low-privileged attacker to abuse insecure deserialization of untrusted data, potentially leading to arbitrary code execution, data tampering, and information disclosure on the host running the library. The flaw carries a CVSS 7.8 (High) rating with confidentiality, integrity, and availability all marked High, and currently no public exploit identified at time of analysis. NVTabular is a tabular feature-engineering library used in recommender-system pipelines, so the practical blast radius is data-science workstations and ML training nodes.

Nvidia RCE Deserialization +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local code execution in NVIDIA NVTabular allows an authenticated low-privileged user to abuse improper deserialization of untrusted data to run arbitrary code, tamper with data, and disclose sensitive information. The CVSS 3.1 base score is 7.8 (AV:L/AC:L/PR:L/UI:N) reflecting a local attack vector with low complexity and low privileges; no public exploit identified at time of analysis and the issue is not on the CISA KEV list.

Nvidia RCE Deserialization +1
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Physical access to Dell ThinOS 10 endpoints running versions prior to ThinOS10 2602_10.0765 allows an unauthenticated attacker to bypass access controls, exposing sensitive information with high confidentiality and integrity impact. The flaw, rooted in CWE-284 (Improper Access Control), enables circumvention of authentication or authorization mechanisms at the device level without requiring prior credentials. No active exploitation has been confirmed (not in CISA KEV) and no public exploit has been identified; Dell has released a patched build addressing this issue.

Dell Information Disclosure Authentication Bypass
NVD VulDB
EPSS 0% CVSS 3.1
LOW Monitor

HCL iReflection Third party vulnerable and outdated components issue was detected in the web application. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Ireflection
NVD
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Improper access control in Klaw, the Aiven-Open self-service Apache Kafka governance portal, exposes user password hashes to unauthenticated remote attackers in all versions prior to 2.10.4. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms this is exploitable over the network without any authentication or user interaction, making it trivially reachable in internet-exposed deployments. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, but the unauthenticated network vector lowers the bar significantly for opportunistic attackers seeking credential material.

Information Disclosure Apache Klaw
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

Local credential exposure in Genetec Security Center main server installations allows an attacker with local OS privileges on the main server host to retrieve Server Admin credentials, enabling escalation to full Security Center administrative control. The flaw is tied to specific vulnerable installer builds rather than version numbers, meaning hosts running 5.10.4.0, 5.11.3.0, 5.12.2.0 or 5.13.3.0 may or may not be vulnerable depending on the installation package hash. No public exploit identified at time of analysis and no evidence of active exploitation per the vendor advisory.

Information Disclosure Genetec Security Center
NVD VulDB
EPSS 0% CVSS 7.4
HIGH This Week

Cleartext SIP signaling in Verizon's VoLTE/IMS infrastructure allows an on-path attacker positioned on the radio or core network to intercept and tamper with VoIP call signaling because IPsec integrity protection (Security-Client/Security-Server headers and ESP-protected traffic) is not enforced. The flaw, reported by CERT/CC and tracked as EUVD-2026-33945, affects an unspecified Verizon IMS deployment and enables disclosure of call metadata, caller identity spoofing, and signaling manipulation. There is no public exploit identified at time of analysis and EPSS exploitation probability is very low at 0.01%.

Information Disclosure Volte
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Default credential exposure in Roche Diagnostics navify Digital Pathology (versions 2.0.0 through 2.4.0) lets remote unauthenticated attackers log into the embedded RabbitMQ Management interface using factory-shipped usernames and passwords. CVSS 4.0 rates the issue 8.8 with network attack vector and no privileges required, and no public exploit identified at time of analysis. Successful access exposes message-broker administration, enabling data interception, queue manipulation, and downstream tampering with pathology workflows.

Information Disclosure
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Credential exposure in Progress Sitefinity versions 8.0.5700 through 13.3.7652 allows authenticated back-end users to retrieve plain-text credentials used by the CMS to connect to the Sitefinity Insight analytics service. The CVSS 3.1 score of 8.7 with scope change (S:C) reflects that stolen Insight credentials can pivot into an adjacent system beyond the CMS itself. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; EPSS data was not provided in the input.

Information Disclosure Sitefinity
NVD VulDB
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Credential disclosure in Progress Sitefinity 14.0.7700-15.4.8630 allows remote unauthenticated attackers to retrieve plaintext credentials used to connect to the Sitefinity Insight analytics service. The CVSS 10.0 score reflects network-reachable, no-auth, no-interaction exploitation with cross-scope impact, though exploitation is gated on the site having active Sitefinity Insight integration and a non-default configuration. No public exploit identified at time of analysis and the vendor (Progress) is the sole reporting source via a May 2026 advisory.

Information Disclosure Sitefinity
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Account compromise in Progress Sitefinity CMS (14.1.x-15.4.x prior to the May 2026 fix train) allows a remote unauthenticated attacker to violate the integrity and confidentiality of user accounts when an administrator runs a non-default site configuration and a victim is induced to interact with attacker-controlled content. The flaw is rooted in improper input validation (CWE-20) in Sitefinity's web services and carries a high CVSS of 8.8, but no public exploit has been identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure Sitefinity
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Symlink following in Gleam's Hex package export pipeline silently embeds arbitrary local files into published package artifacts, enabling credential exfiltration via supply chain. Affected versions span 0.10.0-rc1 through the 1.16.x line, with the fix landing in 1.17.0. An authenticated attacker with write access to a Gleam repository can plant a symlink in a tracked publishable directory (src/, priv/), causing a maintainer's sensitive local files - SSH keys, API tokens, CI secrets - to be bundled into the publicly distributed Hex tarball without any warning. No public exploit identified and no CISA KEV listing at time of analysis, but the attack is trivially repeatable using standard shell tooling.

Information Disclosure Suse
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM This Month

Sensitive configuration data exposure in Siemens RUGGEDCOM RST2428P industrial network switch (all firmware versions before V4.0) allows authenticated attackers to retrieve confidential information from the browser cache. The web management interface fails to enforce proper cache-control directives when an authenticated user performs specific configuration modification workflows, persisting sensitive data in the local browser cache. No public exploit code exists and the vulnerability is not listed in CISA KEV, though the High confidentiality impact (VC:H) on the vulnerable component elevates concern for OT/industrial network environments where configuration data can expose network topology or credentials.

Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local File Inclusion in Select-Themes WaveRide WordPress theme versions up to and including 1.4 allows remote attackers to coerce the application into including arbitrary local PHP files via improper validation of a filename used in an include/require statement. The flaw is rated CVSS 8.1 (high) with network attack vector and no authentication required, though high attack complexity tempers exploitability; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

LFI Information Disclosure PHP
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Local File Inclusion in Code Supply Co. Blueprint WordPress theme versions prior to 1.1.5 allows remote unauthenticated attackers to include arbitrary local PHP files through improper filename validation in include/require statements. CVSS rates the issue 8.1 (High) with high attack complexity, and no public exploit has been identified at time of analysis. Despite the CWE-98 classification suggesting Remote File Inclusion, the vendor advisory explicitly scopes the impact to Local File Inclusion.

LFI Information Disclosure PHP
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local File Inclusion in Axiomthemes Racquet WordPress theme (versions through 1.12.0) allows remote unauthenticated attackers to include arbitrary local PHP files via improperly validated filename input, leading to information disclosure and potential code execution. The flaw is classified as CWE-98 (PHP Remote File Inclusion) with a CVSS 8.1 (High) rating, though high attack complexity (AC:H) tempers its real-world exploitability. No public exploit identified at time of analysis, and the issue was reported through the Patchstack research program.

LFI Information Disclosure PHP
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local File Inclusion in androThemes Cookiteer WordPress theme versions up to and including 1.4.8 allows remote unauthenticated attackers to include and execute arbitrary local PHP files on the underlying server. The flaw is classified as PHP Remote File Inclusion (CWE-98) but the practical impact described is LFI, which can lead to sensitive information disclosure and potential code execution through log poisoning or session file abuse. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

LFI Information Disclosure PHP
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local File Inclusion in Axiomthemes Fermentio WordPress theme through version 1.5.0 allows remote unauthenticated attackers to include arbitrary local files via improperly controlled filename parameters in PHP include/require statements. The flaw is tracked under CWE-98 (PHP Remote File Inclusion) but per the description is exploitable as LFI, with no public exploit identified at time of analysis and high attack complexity reflected in the CVSS vector.

LFI Information Disclosure PHP
NVD
Prev Page 36 of 741 Next

Quick Facts

Typical Severity
MEDIUM
Category
other
Total CVEs
66677

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy